Python: Add missing taint steps

Author: yoff

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -243,26 +243,62 @@ private module StdlibPrivate {
     }
   }
 
+  // Functions with non-standard arguments:
+  // - os.path.join(path, *paths)
+  // - os.path.relpath(path, start=os.curdir)
+  // Functions that need summaries:
+  // - os.path.commonpath(paths): takes a sequence
+  // - os.path.commonprefix(list): takes a list argument
+  // - os.path.splitdrive: retunrs a tuple
+  // - os.path.splittext: returns a tuple
+  private string pathComputation() {
+    result in [
+        "abspath", "basename", "commonpath", "dirname", "expanduser", "expandvars", "join",
+        "normcase", "normpath", "realpath", "relpath", "split"
+      ]
+  }
+
   /**
-   * A call to `os.path.normpath`.
-   * See https://docs.python.org/3/library/os.path.html#os.path.normpath
+   * The `os.path` module offers a number of methods for computing new paths from existing paths.
+   * These should all propagate taint.
    */
-  private class OsPathNormpathCall extends Path::PathNormalization::Range, DataFlow::CallCfgNode {
-    OsPathNormpathCall() { this = os::path().getMember("normpath").getACall() }
+  private class OsPathComputation extends DataFlow::CallCfgNode {
+    string methodName;
 
-    DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
+    OsPathComputation() {
+      methodName = pathComputation() and
+      this = os::path().getMember(methodName).getACall()
+    }
+
+    DataFlow::Node getPathArg() {
+      result in [this.getArg(0), this.getArgByName("path")]
+      or
+      methodName = "join" and result = this.getArg(_)
+      or
+      methodName = "relpath" and result in [this.getArg(1), this.getArgByName("start")]
+    }
   }
 
-  /** An additional taint step for calls to `os.path.normpath` */
-  private class OsPathNormpathCallAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+  /** An additional taint step for path computations. */
+  private class OsPathComputationAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-      exists(OsPathNormpathCall call |
+      exists(OsPathComputation call |
         nodeTo = call and
         nodeFrom = call.getPathArg()
       )
     }
   }
 
+  /**
+   * A call to `os.path.normpath`.
+   * See https://docs.python.org/3/library/os.path.html#os.path.normpath
+   */
+  private class OsPathNormpathCall extends Path::PathNormalization::Range, DataFlow::CallCfgNode {
+    OsPathNormpathCall() { this = os::path().getMember("normpath").getACall() }
+
+    DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
+  }
+
   /**
    * A call to `os.path.abspath`.
    * See https://docs.python.org/3/library/os.path.html#os.path.abspath
@@ -273,16 +309,6 @@ private module StdlibPrivate {
     DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
   }
 
-  /** An additional taint step for calls to `os.path.abspath` */
-  private class OsPathAbspathCallAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
-    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-      exists(OsPathAbspathCall call |
-        nodeTo = call and
-        nodeFrom = call.getPathArg()
-      )
-    }
-  }
-
   /**
    * A call to `os.path.realpath`.
    * See https://docs.python.org/3/library/os.path.html#os.path.realpath
@@ -293,16 +319,6 @@ private module StdlibPrivate {
     DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
   }
 
-  /** An additional taint step for calls to `os.path.realpath` */
-  private class OsPathRealpathCallAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
-    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-      exists(OsPathRealpathCall call |
-        nodeTo = call and
-        nodeFrom = call.getPathArg()
-      )
-    }
-  }
-
   /**
    * A call to `os.system`.
    * See https://docs.python.org/3/library/os.html#os.system